payid 0.3.2 → 0.3.3

package/dist/chunk-4MPVXPLM.js

@@ -0,0 +1,272 @@
+import {
+  randomHex
+} from "./chunk-5ZEKI5Y2.js";
+import {
+  __require
+} from "./chunk-R5U7XKVJ.js";
+
+// src/evaluate.ts
+import { executeRule, preprocessContextV2 } from "payid-rule-engine";
+
+// src/normalize.ts
+function normalizeContext(ctx) {
+  return {
+    ...ctx,
+    tx: {
+      ...ctx.tx,
+      sender: ctx.tx.sender?.toLowerCase(),
+      receiver: ctx.tx.receiver?.toLowerCase(),
+      asset: ctx.tx.asset.toUpperCase()
+    }
+  };
+}
+
+// src/core/dicisionTrace.ts
+function toBigIntSafe(v) {
+  try {
+    if (typeof v === "bigint") return v;
+    if (typeof v === "number" && Number.isFinite(v)) {
+      return BigInt(Math.trunc(v));
+    }
+    if (typeof v === "string" && v !== "") {
+      return BigInt(v);
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+function getValueByPath(obj, path) {
+  return path.split(".").reduce((o, k) => o?.[k], obj);
+}
+function evaluateCondition(actual, op, expected) {
+  switch (op) {
+    case ">=":
+    case "<=":
+    case ">":
+    case "<": {
+      const a = toBigIntSafe(actual);
+      const b = toBigIntSafe(expected);
+      if (a === null || b === null) return false;
+      if (op === ">=") return a >= b;
+      if (op === "<=") return a <= b;
+      if (op === ">") return a > b;
+      if (op === "<") return a < b;
+      return false;
+    }
+    case "==":
+      return actual == expected;
+    case "in":
+      return Array.isArray(expected) && expected.includes(actual);
+    case "not_in":
+      return Array.isArray(expected) && !expected.includes(actual);
+    default:
+      return false;
+  }
+}
+function buildDecisionTrace(context, ruleConfig) {
+  return ruleConfig.rules.map((rule) => {
+    const cond = rule.if;
+    const actual = getValueByPath(context, cond.field);
+    const pass = evaluateCondition(actual, cond.op, cond.value);
+    return {
+      ruleId: rule.id,
+      field: cond.field,
+      op: cond.op,
+      expected: cond.value,
+      actual,
+      result: actual === void 0 ? "FAIL" : pass ? "PASS" : "FAIL"
+    };
+  });
+}
+
+// src/evaluate.ts
+async function evaluate(wasmBinary, context, ruleConfig, options) {
+  if (!context || typeof context !== "object") {
+    throw new Error("evaluate(): context is required");
+  }
+  if (!context.tx) {
+    throw new Error("evaluate(): context.tx is required");
+  }
+  if (!ruleConfig || typeof ruleConfig !== "object") {
+    throw new Error("evaluate(): ruleConfig is required");
+  }
+  let result;
+  try {
+    const preparedContext = options?.trustedIssuers ? preprocessContextV2(
+      context,
+      ruleConfig,
+      options.trustedIssuers
+    ) : context;
+    const normalized = normalizeContext(preparedContext);
+    const wasmForEngine = typeof Buffer !== "undefined" && !(wasmBinary instanceof Buffer) ? Buffer.from(wasmBinary) : wasmBinary;
+    result = await executeRule(
+      wasmForEngine,
+      normalized,
+      ruleConfig
+    );
+  } catch (err) {
+    return {
+      decision: "REJECT",
+      code: "CONTEXT_OR_ENGINE_ERROR",
+      reason: err?.message ?? "rule evaluation failed"
+    };
+  }
+  if (result.decision !== "ALLOW" && result.decision !== "REJECT") {
+    return {
+      decision: "REJECT",
+      code: "INVALID_ENGINE_OUTPUT",
+      reason: "invalid decision value"
+    };
+  }
+  const baseResult = {
+    decision: result.decision,
+    code: result.code || "UNKNOWN",
+    reason: result.reason
+  };
+  if (options?.debug) {
+    return {
+      ...baseResult,
+      debug: {
+        trace: buildDecisionTrace(context, ruleConfig)
+      }
+    };
+  }
+  return baseResult;
+}
+
+// src/utils/subtle.ts
+var subtleCrypto = globalThis.crypto?.subtle ?? __require("crypto").webcrypto.subtle;
+
+// src/utils/fetchJson.ts
+async function fetchJsonWithHashCheck(url, expectedHash) {
+  const res = await fetch(url);
+  if (!res.ok) {
+    throw new Error("RULE_FETCH_FAILED");
+  }
+  const buffer = await res.arrayBuffer();
+  if (expectedHash) {
+    const digest = await subtleCrypto.digest(
+      "SHA-256",
+      buffer
+    );
+    const actualHash = bufferToHex(digest);
+    if (actualHash !== expectedHash) {
+      throw new Error("RULE_HASH_MISMATCH");
+    }
+  }
+  return JSON.parse(new TextDecoder().decode(buffer));
+}
+function bufferToHex(buffer) {
+  return [...new Uint8Array(buffer)].map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+// src/resolver/resolver.ts
+async function resolveRule(source) {
+  const { uri, hash: hash2 } = source;
+  if (uri.startsWith("inline://")) {
+    const encoded = uri.replace("inline://", "");
+    const json = JSON.parse(atob(encoded));
+    return { config: json, source };
+  }
+  if (uri.startsWith("ipfs://")) {
+    const cid = uri.replace("ipfs://", "");
+    const url = `https://ipfs.io/ipfs/${cid}`;
+    const config = await fetchJsonWithHashCheck(url, hash2);
+    return { config, source };
+  }
+  if (uri.startsWith("http://") || uri.startsWith("https://")) {
+    const config = await fetchJsonWithHashCheck(uri, hash2);
+    return { config, source };
+  }
+  throw new Error("UNSUPPORTED_RULE_URI");
+}
+
+// src/decision-proof/hash.ts
+import { keccak256 } from "ethers";
+function stableStringify(obj) {
+  if (Array.isArray(obj)) {
+    return `[${obj.map(stableStringify).join(",")}]`;
+  }
+  if (obj && typeof obj === "object") {
+    return `{${Object.keys(obj).sort().map(
+      (k) => `"${k}":${stableStringify(obj[k])}`
+    ).join(",")}}`;
+  }
+  return JSON.stringify(obj);
+}
+function hashContext(context) {
+  return keccak256(Buffer.from(stableStringify(context)));
+}
+function hashRuleSet(ruleConfig) {
+  return keccak256(Buffer.from(stableStringify(ruleConfig)));
+}
+
+// src/decision-proof/generate.ts
+import { ethers, ZeroAddress } from "ethers";
+var hash = (v) => ethers.keccak256(ethers.toUtf8Bytes(v));
+async function generateDecisionProof(params) {
+  const now = Math.floor(Date.now() / 1e3);
+  const expiresAt = now + (params.ttlSeconds ?? 60);
+  const network = await params.signer.provider.getNetwork();
+  const requiresAttestation = Array.isArray(params.ruleConfig?.requires) && params.ruleConfig.requires.length > 0;
+  const payload = {
+    version: hash("2"),
+    payId: hash(params.payId),
+    payer: params.payer,
+    receiver: params.receiver,
+    asset: params.asset,
+    amount: params.amount,
+    contextHash: hashContext(params.context),
+    ruleSetHash: hashRuleSet(params.ruleConfig),
+    ruleAuthority: params.ruleRegistryContract ?? ZeroAddress,
+    issuedAt: BigInt(now),
+    expiresAt: BigInt(expiresAt),
+    nonce: randomHex(32),
+    requiresAttestation
+  };
+  const domain = {
+    name: "PAY.ID Decision",
+    version: "2",
+    chainId: Number(network.chainId),
+    verifyingContract: params.verifyingContract
+  };
+  const types = {
+    Decision: [
+      { name: "version", type: "bytes32" },
+      { name: "payId", type: "bytes32" },
+      { name: "payer", type: "address" },
+      { name: "receiver", type: "address" },
+      { name: "asset", type: "address" },
+      { name: "amount", type: "uint256" },
+      { name: "contextHash", type: "bytes32" },
+      { name: "ruleSetHash", type: "bytes32" },
+      { name: "ruleAuthority", type: "address" },
+      { name: "issuedAt", type: "uint64" },
+      { name: "expiresAt", type: "uint64" },
+      { name: "nonce", type: "bytes32" },
+      { name: "requiresAttestation", type: "bool" }
+    ]
+  };
+  const signature = await params.signer.signTypedData(
+    domain,
+    types,
+    payload
+  );
+  const recovered = ethers.verifyTypedData(
+    domain,
+    types,
+    payload,
+    signature
+  );
+  if (recovered.toLowerCase() !== params.payer.toLowerCase()) {
+    throw new Error("SIGNATURE_MISMATCH");
+  }
+  return { payload, signature };
+}
+
+export {
+  evaluate,
+  resolveRule,
+  generateDecisionProof
+};

package/dist/chunk-5ZEKI5Y2.js

@@ -0,0 +1,18 @@
+import {
+  __require
+} from "./chunk-R5U7XKVJ.js";
+
+// src/utils/randomHex.ts
+function randomHex(bytes) {
+  if (typeof globalThis.crypto !== "undefined" && crypto.getRandomValues) {
+    const arr = new Uint8Array(bytes);
+    crypto.getRandomValues(arr);
+    return "0x" + Array.from(arr, (b) => b.toString(16).padStart(2, "0")).join("");
+  }
+  const { randomBytes } = __require("crypto");
+  return "0x" + randomBytes(bytes).toString("hex");
+}
+
+export {
+  randomHex
+};

package/dist/chunk-7U3P7XJE.js

@@ -0,0 +1,67 @@
+// src/issuer/signAttestation.ts
+import { keccak256, toUtf8Bytes } from "ethers";
+async function signAttestation(issuerWallet, payload, ttlSeconds = 60) {
+  const issuedAt = Math.floor(Date.now() / 1e3);
+  const expiresAt = issuedAt + ttlSeconds;
+  const hash = keccak256(
+    toUtf8Bytes(JSON.stringify(payload))
+  );
+  const signature = await issuerWallet.signMessage(
+    Buffer.from(hash.slice(2), "hex")
+  );
+  return {
+    issuer: issuerWallet.address,
+    issuedAt,
+    expiresAt,
+    signature
+  };
+}
+
+// src/issuer/issueEnvContext.ts
+import "ethers";
+async function issueEnvContext(wallet) {
+  const payload = {
+    timestamp: Math.floor(Date.now() / 1e3)
+  };
+  return {
+    ...payload,
+    proof: await signAttestation(wallet, payload, 30)
+  };
+}
+
+// src/issuer/issueOracleContext.ts
+async function issueOracleContext(wallet, data) {
+  const proof = await signAttestation(wallet, data, 120);
+  return { ...data, proof };
+}
+
+// src/issuer/issueRiskContext.ts
+async function issueRiskContext(wallet, score, category, modelHash) {
+  const payload = { score, category, modelHash };
+  const signAttestationData = await signAttestation(wallet, payload, 120);
+  return {
+    score,
+    category,
+    proof: {
+      ...signAttestationData,
+      modelHash
+    }
+  };
+}
+
+// src/issuer/issueStateContext.ts
+async function issueStateContext(wallet, spentToday, period) {
+  const payload = { spentToday, period };
+  return {
+    ...payload,
+    proof: await signAttestation(wallet, payload, 60)
+  };
+}
+
+export {
+  signAttestation,
+  issueEnvContext,
+  issueOracleContext,
+  issueRiskContext,
+  issueStateContext
+};

package/dist/chunk-AOKLY2QN.js

@@ -0,0 +1,24 @@
+import {
+  issueEnvContext,
+  issueOracleContext,
+  issueRiskContext,
+  issueStateContext,
+  signAttestation
+} from "./chunk-7U3P7XJE.js";
+import {
+  __export
+} from "./chunk-R5U7XKVJ.js";
+
+// src/issuer/index.ts
+var issuer_exports = {};
+__export(issuer_exports, {
+  issueEnvContext: () => issueEnvContext,
+  issueOracleContext: () => issueOracleContext,
+  issueRiskContext: () => issueRiskContext,
+  issueStateContext: () => issueStateContext,
+  signAttestation: () => signAttestation
+});
+
+export {
+  issuer_exports
+};

package/dist/chunk-ATWJEWZH.js

@@ -0,0 +1,47 @@
+import {
+  decodeSessionPolicy
+} from "./chunk-MXKZJKXE.js";
+import {
+  canonicalizeRuleSet
+} from "./chunk-JJEWYFOV.js";
+import {
+  randomHex
+} from "./chunk-5ZEKI5Y2.js";
+import {
+  __export
+} from "./chunk-R5U7XKVJ.js";
+
+// src/sessionPolicy/index.ts
+var sessionPolicy_exports = {};
+__export(sessionPolicy_exports, {
+  createSessionPolicyPayload: () => createSessionPolicyPayload,
+  decodeSessionPolicy: () => decodeSessionPolicy
+});
+
+// src/sessionPolicy/create.ts
+import { ethers } from "ethers";
+async function createSessionPolicyPayload(params) {
+  const issuedAt = Math.floor(Date.now() / 1e3);
+  const nonce = randomHex(16);
+  const payload = {
+    version: "payid.session.policy.v1",
+    receiver: params.receiver,
+    rule: canonicalizeRuleSet(params.rule),
+    issuedAt,
+    expiresAt: params.expiresAt,
+    nonce
+  };
+  const message = ethers.keccak256(
+    ethers.toUtf8Bytes(JSON.stringify(payload))
+  );
+  const signature = await params.signer.signMessage(message);
+  return {
+    ...payload,
+    signature
+  };
+}
+
+export {
+  createSessionPolicyPayload,
+  sessionPolicy_exports
+};

package/dist/chunk-FIMJNWJ3.js

@@ -0,0 +1,72 @@
+import {
+  evaluate,
+  generateDecisionProof,
+  resolveRule
+} from "./chunk-4MPVXPLM.js";
+import {
+  __export
+} from "./chunk-R5U7XKVJ.js";
+
+// src/core/server/index.ts
+var server_exports = {};
+__export(server_exports, {
+  createPayID: () => createPayID
+});
+
+// src/core/server/server.ts
+function isRuleSource(rule) {
+  return typeof rule === "object" && rule !== null && "uri" in rule;
+}
+var PayIDServer = class {
+  constructor(wasm, signer, trustedIssuers, debugTrace) {
+    this.wasm = wasm;
+    this.signer = signer;
+    this.trustedIssuers = trustedIssuers;
+    this.debugTrace = debugTrace;
+  }
+  async evaluateAndProve(params) {
+    const authorityConfig = isRuleSource(params.authorityRule) ? (await resolveRule(params.authorityRule)).config : params.authorityRule;
+    const evalConfig = params.evaluationRule ?? authorityConfig;
+    const result = await evaluate(
+      this.wasm,
+      params.context,
+      evalConfig,
+      {
+        debug: this.debugTrace,
+        trustedIssuers: this.trustedIssuers
+      }
+    );
+    if (result.decision !== "ALLOW") {
+      return { result, proof: null };
+    }
+    const proof = await generateDecisionProof({
+      payId: params.payId,
+      payer: params.payer,
+      receiver: params.receiver,
+      asset: params.asset,
+      amount: params.amount,
+      context: params.context,
+      ruleConfig: params.authorityRule,
+      signer: this.signer,
+      verifyingContract: params.verifyingContract,
+      ruleRegistryContract: params.ruleRegistryContract,
+      ttlSeconds: params.ttlSeconds
+    });
+    return { result, proof };
+  }
+};
+
+// src/core/server/index.ts
+function createPayID(params) {
+  return new PayIDServer(
+    params.wasm,
+    params.signer,
+    params.trustedIssuers,
+    params.debugTrace ?? false
+  );
+}
+
+export {
+  createPayID,
+  server_exports
+};

package/dist/chunk-JJEWYFOV.js

@@ -0,0 +1,42 @@
+// src/rule/canonicalize.ts
+function canonicalizeRuleSet(ruleSet) {
+  return {
+    version: ruleSet.version,
+    logic: ruleSet.logic,
+    rules: ruleSet.rules.map((rule) => canonicalizeRule(rule)).sort((a, b) => a.id.localeCompare(b.id))
+  };
+}
+function canonicalizeRule(rule) {
+  return {
+    id: rule.id,
+    if: canonicalizeObject(rule.if)
+  };
+}
+function canonicalizeObject(obj) {
+  if (obj === void 0) {
+    throw new Error("Undefined value not allowed in canonical object");
+  }
+  if (typeof obj === "function" || typeof obj === "symbol") {
+    throw new Error("Non-JSON value not allowed in canonical object");
+  }
+  if (obj instanceof Date) {
+    return obj.toISOString();
+  }
+  if (typeof obj === "bigint") {
+    return obj.toString();
+  }
+  if (Array.isArray(obj)) {
+    return obj.map(canonicalizeObject);
+  }
+  if (typeof obj === "object" && obj !== null) {
+    return Object.keys(obj).sort().reduce((acc, key) => {
+      acc[key] = canonicalizeObject(obj[key]);
+      return acc;
+    }, {});
+  }
+  return obj;
+}
+
+export {
+  canonicalizeRuleSet
+};

package/dist/chunk-JRVCGSKK.js

@@ -0,0 +1,30 @@
+import {
+  combineRules
+} from "./chunk-QYH3FNQ4.js";
+import {
+  canonicalizeRuleSet
+} from "./chunk-JJEWYFOV.js";
+import {
+  __export
+} from "./chunk-R5U7XKVJ.js";
+
+// src/rule/index.ts
+var rule_exports = {};
+__export(rule_exports, {
+  canonicalizeRuleSet: () => canonicalizeRuleSet,
+  combineRules: () => combineRules,
+  hashRuleSet: () => hashRuleSet
+});
+
+// src/rule/hash.ts
+import { keccak256, toUtf8Bytes } from "ethers";
+function hashRuleSet(ruleSet) {
+  return keccak256(
+    toUtf8Bytes(JSON.stringify(ruleSet))
+  );
+}
+
+export {
+  hashRuleSet,
+  rule_exports
+};

package/dist/chunk-MXKZJKXE.js

@@ -0,0 +1,33 @@
+// src/sessionPolicy/decode.ts
+import { ethers } from "ethers";
+function decodeSessionPolicy(sessionPolicy, now) {
+  if (sessionPolicy.version !== "payid.session.policy.v1") {
+    throw new Error("INVALID_SESSION_POLICY_VERSION");
+  }
+  if (now > sessionPolicy.expiresAt) {
+    throw new Error("SESSION_POLICY_EXPIRED");
+  }
+  const payload = {
+    version: sessionPolicy.version,
+    receiver: sessionPolicy.receiver,
+    rule: sessionPolicy.rule,
+    issuedAt: sessionPolicy.issuedAt,
+    expiresAt: sessionPolicy.expiresAt,
+    nonce: sessionPolicy.nonce
+  };
+  const message = ethers.keccak256(
+    ethers.toUtf8Bytes(JSON.stringify(payload))
+  );
+  const recovered = ethers.verifyMessage(
+    message,
+    sessionPolicy.signature
+  );
+  if (recovered.toLowerCase() !== sessionPolicy.receiver.toLowerCase()) {
+    throw new Error("INVALID_SESSION_POLICY_SIGNATURE");
+  }
+  return sessionPolicy.rule;
+}
+
+export {
+  decodeSessionPolicy
+};

package/dist/chunk-QYH3FNQ4.js

@@ -0,0 +1,19 @@
+import {
+  canonicalizeRuleSet
+} from "./chunk-JJEWYFOV.js";
+
+// src/rule/combine.ts
+function combineRules(defaultRuleSet, sessionRule) {
+  return canonicalizeRuleSet({
+    version: defaultRuleSet.version ?? "1",
+    logic: "AND",
+    rules: [
+      ...defaultRuleSet.rules,
+      ...sessionRule
+    ]
+  });
+}
+
+export {
+  combineRules
+};

package/dist/chunk-R5U7XKVJ.js

@@ -0,0 +1,16 @@
+var __defProp = Object.defineProperty;
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+export {
+  __require,
+  __export
+};

package/dist/chunk-RCXMRX4F.js

@@ -0,0 +1,54 @@
+import {
+  issueEnvContext,
+  issueOracleContext,
+  issueRiskContext,
+  issueStateContext
+} from "./chunk-7U3P7XJE.js";
+import {
+  __export
+} from "./chunk-R5U7XKVJ.js";
+
+// src/context/index.ts
+var context_exports = {};
+__export(context_exports, {
+  buildContextV2: () => buildContextV2
+});
+
+// src/context/contextV2.ts
+async function buildContextV2(params) {
+  const ctx = {
+    ...params.baseContext
+  };
+  if (params.env) {
+    ctx.env = await issueEnvContext(
+      params.env.issuer
+    );
+  }
+  if (params.state) {
+    ctx.state = await issueStateContext(
+      params.state.issuer,
+      params.state.spentToday,
+      params.state.period
+    );
+  }
+  if (params.oracle) {
+    ctx.oracle = await issueOracleContext(
+      params.oracle.issuer,
+      params.oracle.data
+    );
+  }
+  if (params.risk) {
+    ctx.risk = await issueRiskContext(
+      params.risk.issuer,
+      params.risk.score,
+      params.risk.category,
+      params.risk.modelHash
+    );
+  }
+  return ctx;
+}
+
+export {
+  buildContextV2,
+  context_exports
+};